End-to-End Network Security
Defense-in-Depth

Omar Santos

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

Copyright © 2008 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First Printing August 2007

Library of Congress Cataloging-in-Publication Data:
Santos, Omar.
End-to-end network security : defense-in-depth / Omar Santos.
p. cm.
ISBN 978-1-58705-332-0 (pbk.)
1. Computer networks—Security measures. I. Title.
TK5105.59.S313 2007
005.8—dc22
2007028287

ISBN-10: 1-58705-332-2

Warning and Disclaimer

This book is designed to provide information about end-to-end network security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the United States, please contact: International Sales, international@pearsoned.com.

Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Managing Editor: Patrick Kanouse
Development Editor: Betsey Henkels
Project Editor: Jennifer Gallant
Copy Editor: Karen A. Gill
Technical Editors: Pavan Reddy, John Stuppi
Editorial Assistant: Vanessa Evans
Book and Cover Designer: Louisa Adair
Composition: ICC Macmillan Inc.
Indexer: Ken Johnson
Proofreader: Anne Poynter

About the Author

Omar Santos is a senior network security engineer and Incident Manager within the Product Security Incident Response Team (PSIRT) at Cisco. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and the U.S. Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Before his current role, Omar was a technical leader within the World Wide Security Practice and Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations. He is an active member of the InfraGard organization. InfraGard is a cooperative undertaking that involves the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants. InfraGard is dedicated to increasing the security of the critical infrastructures of the United States of America. Omar has also delivered numerous technical presentations to Cisco customers and partners, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of the Cisco Press books Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting, and Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.

About the Technical Reviewers

Pavan Reddy, CCIE No. 4575, currently works as a consulting systems engineer for Cisco specializing in network security. Pavan has been collaborating with customers and partners on the design and implementation of large-scale enterprise and service provider security architectures for nearly ten years. Before joining Cisco, Pavan worked as a network security engineer in the construction and financial industries. Pavan also holds a bachelor of science degree in computer engineering from Carnegie Mellon.

John Stuppi, CCIE No. 11154, is a network consulting engineer for Cisco. John is responsible for creating, testing, and communicating effective techniques using Cisco product capabilities to provide identification and mitigation options to Cisco customers who are facing current or expected security threats. John also advises Cisco customers on incident readiness and response methodologies and assists them in DoS and worm mitigation and preparedness. John is a CCIE and a CISSP, and he holds an Information Systems Security (INFOSEC) Professional Certification. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey with his wife Diane and his two wonderful children, Thomas and Allison.

Dedications

I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book. I also dedicate this book to my parents, Jose and Generosa. Without their knowledge, wisdom, and guidance, I would not have the goals that I strive to achieve today.

—Omar

Acknowledgments

I would like to acknowledge the technical editors, Pavan Reddy and John Stuppi. Their superb technical skills and input are what make this manuscript a success. Pavan has been a technical leader and advisor within Cisco for several years. He has led many projects for Fortune 500 enterprises and service providers. He was one of the key developers of the Cisco Operational Process Model (COPM). John has also led many implementations and designs for Cisco customers. His experience in worldwide threat intelligence provides a unique breadth of knowledge and value added.

Many thanks to my management team, who have always supported me during the development of this book. I am extremely thankful to the Cisco Press team, especially Brett Bartow, Andrew Cupp, Betsey Henkels, and Jennifer Gallant, for their patience and continuous support. Finally, I would like to acknowledge the great minds within the Cisco Security Technology Group (STG), Advanced Services, and Technical Support organizations.

Contents at a Glance

Foreword xix
Introduction xx
Part I Introduction to Network Security Solutions 3
Chapter 1 Overview of Network Security Technologies 5
Part II Security Lifecycle: Frameworks and Methodologies 41
Chapter 2 Preparation Phase 43
Chapter 3 Identifying and Classifying Security Threats 99
Chapter 4 Traceback 141
Chapter 5 Reacting to Security Incidents 153
Chapter 6 Postmortem and Improvement 167
Chapter 7 Proactive Security Framework 177
Part III Defense-In-Depth Applied 209
Chapter 8 Wireless Security 211
Chapter 9 IP Telephony Security 261
Chapter 10 Data Center Security 297
Chapter 11 IPv6 Security 329
Part IV Case Studies 339
Chapter 12 Case Studies 341
Index 422

Contents

Network Firewalls 6
Network Address Translation (NAT) 7
Stateful Firewalls 9
Deep Packet Inspection 10
Demilitarized Zones 10
Personal Firewalls 11

Technical Overview of IPsec 14
Phase 1 14
Phase 2 16
SSL VPNs 18

Pattern Matching 20
Protocol Analysis 21
Heuristic-Based Analysis 21
Anomaly-Based Analysis 21

RADIUS 23
TACACS+ 25
Identity Management Concepts 26

NAC Appliance 27
NAC Framework 33

Threat Modeling 44
Penetration Testing 46

Common Vulnerability Scoring System 50
Base Metrics 51
Temporal Metrics 51
Environmental Metrics 52

Who Should Be Part of the CSIRT? 53
Incident Response Collaborative Teams 54
Tasks and Responsibilities of the CSIRT 54

Strong Device Access Control 59
SSH Versus Telnet 59
Local Password Management 61
Configuring Authentication Banners 62
Interactive Access Control 62
Role-Based Command-Line Interface (CLI) Access in Cisco IOS 64
Controlling SNMP Access 66
Securing Routing Protocols 66
Configuring Static Routing Peers 68
Authentication 68
Route Filtering 69
Time-to-Live (TTL) Security Check 70
Disabling Unnecessary Services on Network Components 70
Cisco Discovery Protocol (CDP) 71
Finger 72
Directed Broadcast 72
Maintenance Operations Protocol (MOP) 72
BOOTP Server 73
ICMP Redirects 73
IP Source Routing 73
Packet Assembler/Disassembler (PAD) 73
Proxy Address Resolution Protocol (ARP) 73
IDENT 74
TCP and User Datagram Protocol (UDP) Small Servers 74
IP Version 6 (IPv6) 75
Locking Down Unused Ports on Network Access Devices 75
Control Resource Exhaustion 75
Resource Thresholding Notification 76
CPU Protection 77
Receive Access Control Lists (rACLs) 78
Control Plane Policing (CoPP) 80
Scheduler Allocate/Interval 81
Policy Enforcement 81
Infrastructure Protection Access Control Lists (iACLs) 82
Unicast Reverse Path Forwarding (Unicast RPF) 83
Automated Security Tools Within Cisco IOS 84
Cisco IOS AutoSecure 84
Cisco Secure Device Manager (SDM) 88
Telemetry 89

Patch Management 90
Cisco Security Agent (CSA) 92

Phased Approach 94
Administrative Tasks 96
Staff and Support 96

NetFlow 108
Enabling NetFlow 111
Collecting NetFlow Statistics from the CLI 112
SYSLOG 115
Enabling Logging (SYSLOG) on Cisco IOS Routers and Switches 115
Enabling Logging on Cisco Catalyst Switches Running CATOS 117
Enabling Logging on Cisco ASA and Cisco PIX Security Appliances 117
SNMP 118
Enabling SNMP on Cisco IOS Devices 119
Enabling SNMP on Cisco ASA and Cisco PIX Security Appliances 121
Cisco Security Monitoring, Analysis and Response System (CS-MARS) 121
Cisco Network Analysis Module (NAM) 125
Open Source Monitoring Tools 126
Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances 127
The Importance of Signature Updates 131
The Importance of Tuning 133
Anomaly Detection Within Cisco IPS Devices 137

AAA 183
Cisco Guard Active Verification 185
DHCP Snooping 186
IP Source Guard 187
Digital Certificates and PKI 188
IKE 188
Network Admission Control (NAC) 188
Routing Protocol Authentication 189
Strict Unicast RPF 189
Anomaly Detection 190
IDS/IPS 190
Cisco Network Analysis Module (NAM) 191
Layer 2 and Layer 3 Information (CDP, Routing Tables, CEF Tables) 191
CS-MARS 193
Arbor Peakflow SP and Peakflow X 193
Cisco Security Agent Management Console (CSA-MC) Basic Event Correlation 193
Cisco Security Manager 195
Configuration Logger and Configuration Rollback 195
Embedded Device Managers 195
Cisco IOS XR XML Interface 196
SNMP and RMON 196
Syslog 196
Cisco IOS Role-Based CLI Access (CLI Views) 197
Anomaly Detection Zones 198
Network Device Virtualization 198
Segmentation with VLANs 199
Segmentation with Firewalls 200
Segmentation with VRF/VRF-Lite 200

WEP 216
WPA 218
802.1x on Wireless Networks 219
EAP with MD5 221
Cisco LEAP 222
EAP-TLS 223
PEAP 223
EAP Tunneled TLS Authentication Protocol (EAP-TTLS) 224
EAP-FAST 224
EAP-GTC 225
Configuring 802.1x with EAP-FAST in the Cisco Unified Wireless Solution 226
Configuring the WLC 226
Configuring the Cisco Secure ACS Server for 802.1x and EAP-FAST 229
Configuring the CSSC 233
Configuring IDS/IPS Sensors in the WLC 241
Uploading and Configuring IDS/IPS Signatures 242
NAC Appliance Configuration 246
WLC Configuration 255

Chapter 9 IP Telephony Security 261
Protecting the IP Telephony Infrastructure 262
Access Layer 266
Distribution Layer 273
Core 275
Securing the IP Telephony Applications 275
Protecting Cisco Unified CallManager 276
Protecting Cisco Unified Communications Manager Express (CME) 277
Protecting Cisco Unity 281
Protecting Cisco Unity Express 287
Protecting Cisco Personal Assistant 289
Hardening the Cisco Personal Assistant Operating Environment 289
Cisco Personal Assistant Server Security Policies 291

Filtering Access Control Lists (ACL) 331
ICMP Filtering 332
Extension Headers in IPv6 332

Creating a New Computer Security Incident Response Team (CSIRT) 403
Creating New Security Policies 404
Physical Security Policy 404
Perimeter Security Policy 404
Device Security Policy 405
Remote Access VPN Policy 405
Patch Management Policy 406
Change Management Policy 406
Internet Usage Policy 406
Deploying IPsec Remote Access VPN 406
Configuring IPsec Remote Access VPN 408
Configuring Load-Balancing 415
Reacting to a Security Incident 418
Identifying, Classifying, and Tracking the Security Incident or Attack 419
Reacting to the Incident 419
Postmortem 419

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

• Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
• Italics indicate arguments for which you supply actual values.
• Vertical bars (|) separate alternative, mutually exclusive elements.
• Square brackets [ ] indicate optional elements.
• Braces { } indicate a required choice.
• Braces within brackets [{ }] indicate a required choice within an optional element.

Foreword

Defense-in-Depth is a phrase that is often used and equally misunderstood. This book gives an excellent overview of what this really means and, more importantly, how to apply certain principles to develop appropriate risk mitigation strategies. After you have assimilated the content of this book, you will have a solid understanding of several aspects of security. The author begins with an overview of the basics, then provides comprehensive methodologies for preparing for and reacting to security incidents and, finally, illustrates a unique framework for managing through the lifecycle of security known as SAVE. Also provided are various Defense-in-Depth strategies covering the most current advanced technologies utilized for protecting information assets today. Equally important are the case studies, which provide the reader with real-world examples of how to put these tools, processes, methodologies, and frameworks to use.

Many reference documents and lengthy periodicals delve into the world of information security. However, few can capture the essence of this discipline and also provide a high-level, demystified understanding of information security and the technical underpinning required to achieve success. Within these pages, you will find many practical tools, both process related and technology related, that you can draw on to improve your risk mitigation strategies. The most effective security programs combine attention to both deeply technical issues and business process issues. The author clearly demonstrates that he grasps the inherent challenges posed by combining these disparate approaches, and he conveys them in an approachable style. You will find yourself not only gaining valuable insight from End-to-End Network Security, but also returning to its pages to ensure you are on target in your endeavors.

We have seen dramatic increases in the type and nature of threats to our information assets. The challenge we face is to fully understand the compensating controls and techniques that can be deployed to offset these threats and do so in a way that is consistent with the business processes and growth strategies of the businesses and government we are trying to protect. This book strikes that delicate balance, and you will find it an invaluable element of your protection initiatives far into the future.

Bruce Murphy
Vice President, World Wide Security Practice
Cisco

Introduction

The network security lifecycle requires specialized support and a commitment to best practice standards. In this book, you will learn best practices that draw upon disciplined processes, frameworks, expert advice, and proven technologies that will help you protect your infrastructure and organization. You will learn end-to-end security best practices, from strategy development to operations and optimization.

This book covers the six-step methodology of incident readiness and response. You must take a proactive approach to security, one that starts with an assessment to identify and categorize your risks. In addition, you need to understand the technical details of network security in relation to security policy and incident response procedures. This book covers numerous best practices that will help you orchestrate a long-term strategy for your organization.

Who Should Read This Book?

The answer to this question is simple—everyone. The principles and best practices covered in this book apply to every organization. Anyone interested in network security should become familiar with the information included in this book—from network and security engineers to management and executives. This book covers not only numerous technical topics and scenarios, but also a wide range of operational best practices, in addition to risk analysis and threat modeling.

How This Book Is Organized

Part I of this book includes Chapter 1, which covers an introduction to security technologies and products. In Part II, which encompasses Chapters 2 through 7, you will learn the six-step methodology of incident readiness and response. Part III includes Chapters 8 through 11, which cover strategies used to protect wireless networks, IP telephony implementations, data centers, and IPv6 networks. Real-life case studies are covered in Part IV, which contains Chapter 12. The following is a chapter-by-chapter summary of the contents of the book.

Part I, “Introduction to Network Security Solutions,” includes:

• Chapter 1, “Overview of Network Security Technologies.” This chapter covers an introduction to security technologies and products. It starts with an overview of how to place firewalls to provide perimeter security and network segmentation while enforcing configured policies. It then dives into virtual private network (VPN) technologies and protocols—including IP Security (IPsec) and Secure Socket Layer (SSL). In addition, this chapter covers technologies such as intrusion detection systems (IDS), intrusion prevention systems (IPS), anomaly detection systems, and network telemetry features that can help you identify and classify security threats. Authentication, authorization, and accounting (AAA) offers different solutions that provide access control to network resources; this chapter introduces AAA and identity management concepts. Furthermore, it includes an overview of the Cisco Network Admission Control solutions that are used to enforce security policy compliance on all devices that access network computing resources, thereby limiting damage from emerging security threats. Routing techniques can also be used as security tools. This chapter provides examples of different routing techniques, such as Remotely Triggered Black Hole (RTBH) routing and sinkholes, that are used to increase the security of the network and to react to new threats.

Part II, “Security Lifecycle: Frameworks and Methodologies,” includes:

• Chapter 2, “Preparation Phase.” This chapter covers numerous best practices on how to better prepare your network infrastructure, security policies, procedures, and organization as a whole against security threats and vulnerabilities. This is one of the most important chapters of this book. It starts by teaching you risk analysis and threat modeling techniques. You will also learn guidelines on how to create strong security policies and how to create Computer Security Incident Response Teams (CSIRT). Topics such as security intelligence and social engineering are also covered in this chapter. You will learn numerous tips on how to increase the security of your network infrastructure devices using several best practices to protect the control, management, and data planes. Guidelines on how to better secure end-user systems and servers are also covered in this chapter.

• Chapter 3, “Identifying and Classifying Security Threats.” This chapter covers the next two phases of the six-step methodology for incident response—identification and classification of security threats. You will learn how important it is to have complete network visibility and control to successfully identify and classify security threats in a timely fashion. This chapter covers different technologies and tools, such as Cisco NetFlow, SYSLOG, SNMP, and others, which can be used to obtain information from your network and detect anomalies that might indicate malicious activity. You will also learn how to use event correlation tools such as CS-MARS and open source monitoring systems in conjunction with NetFlow to gain better visibility into your network. In addition, this chapter covers details about anomaly detection, IDS, and IPS solutions by providing tips on IPS/IDS tuning and the new anomaly detection features supported by Cisco IPS.

• Chapter 4, “Traceback.” Tracing back the source of attacks, infected hosts in worm outbreaks, or any other security incident can be overwhelming for many network administrators and security professionals. Attackers can use hundreds or thousands of zombies in botnets, which greatly complicates traceback and hinders mitigation even once traceback succeeds. This chapter covers several techniques that can help you successfully trace back the sources of such threats. It covers techniques used by both service providers and enterprises.

• Chapter 5, “Reacting to Security Incidents.” This chapter covers several techniques that you can use when reacting to security incidents. It is extremely important for organizations to have adequate incident handling policies and procedures in place. This chapter shows you several tips on how to make sure that your policies and procedures are adequate to successfully respond to security incidents. You will also learn general information about different laws and practices to use when investigating security incidents and computer crimes. In addition, this chapter includes details about different tools you can use to mitigate attacks and other security incidents with your network infrastructure components, including several basic computer forensics topics.

• Chapter 6, “Postmortem and Improvement.” It is highly recommended that you complete a postmortem after responding to security incidents. This postmortem should identify the strengths and weaknesses of the incident response effort. With this analysis, you can identify weaknesses in systems, infrastructure defenses, or policies that allowed the incident to take place. In addition, a postmortem helps you identify problems with communication channels, interfaces, and procedures that hampered the efficient resolution of the reported problem. This chapter covers several tips on creating postmortems and executing post-incident tasks. It includes guidelines for collecting post-incident data, documenting lessons learned during the incident, and building action plans to close the gaps that are identified.

• Chapter 7, “Proactive Security Framework.” This chapter covers the Security Assessment, Validation, and Execution (SAVE) framework. SAVE, formerly known as the Cisco Operational Process Model (COPM), is a framework initially developed for service providers, but its practices apply equally to enterprises and other organizations. This chapter provides examples of techniques and practices that can allow you to gain and maintain visibility and control over the network during normal operations or during the course of a security incident or an anomaly in the network.

Part III, “Defense-In-Depth Applied,” includes:

• Chapter 8, “Wireless Security.” When designing and deploying wireless networks, it is important to consider the unique security challenges they introduce. This chapter includes best practices to use when deploying wireless networks. You will learn different types of authentication mechanisms, including 802.1x, which is used to enhance the security of wireless networks. In addition, this chapter includes an overview of the Lightweight Access Point Protocol (LWAPP), Cisco Location Services, Management Frame Protection (MFP), and other wireless features to consider when designing security within your wireless infrastructure. The chapter concludes with step-by-step configuration examples of the integration of IPS and the Cisco NAC Appliance on the Cisco Unified Wireless Network solution.

• Chapter 9, “IP Telephony Security.” IP Telephony solutions are being deployed at a fast rate in many organizations. The cost savings introduced with Voice over IP (VoIP) solutions are significant. On the other hand, these benefits can be undermined if you do not have the appropriate security mechanisms in place. In this chapter, you will learn several techniques used to increase the security of IP Telephony networks. This chapter covers how to secure different IP telephony components such as the Cisco Unified CallManager, Cisco Unified CME, Cisco Unity, Cisco Unity Express, and Cisco Unified Personal Assistant. In addition, it covers several ways to protect against voice eavesdropping attacks.

• Chapter 10, “Data Center Security.” In this chapter, you will learn the security strategies, technologies, and products designed to protect against attacks on your data center from both inside and outside the enterprise. Integrated security technologies, including secure connectivity, threat defense, and trust and identity management systems, create a Defense-in-Depth strategy to protect each application and server environment across the consolidated IP, storage, and interconnect data center networking infrastructure. Configuration examples of different solutions such as the Firewall Services Module (FWSM), the Intrusion Detection/Prevention System Module (IDSM), and the Application Control Engine (ACE) module for the Catalyst 6500 series switches are covered in detail. This chapter also covers the use of Layer 2 to Layer 7 security features in infrastructure components to successfully identify, classify, and mitigate security threats within the data center.

• Chapter 11, “IPv6 Security.” This chapter covers an introduction to security topics in Internet Protocol Version 6 (IPv6) implementations. Although you are assumed to already have a rudimentary understanding of IPv6, this chapter reviews basic IPv6 topics. This chapter details the most common IPv6 security threats and the best practices that many organizations adopt to protect their IPv6 infrastructure. IPsec in IPv6 is also covered, with guidelines on how to configure Cisco IOS routers to terminate IPsec in IPv6 networks.

Part IV, “Case Studies,” includes:

• Chapter 12, “Case Studies.” This chapter covers several case studies representing small, medium-sized, and large-scale enterprises. Detailed example configurations and implementation strategies apply the best practices learned in earlier chapters to enhance learning.

  

  

Chapter 1 Overview of Network Security Technologies

  This chapter covers the following topics:

  • Firewalls
  • Virtual Private Networks (VPN)
  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
  • Anomaly Detection Systems
  • Authentication, Authorization, and Accounting (AAA) and Identity Management
  • Network Admission Control
  • Routing Mechanisms as Security Tools

  

  

  Technology can be considered your best friend. Nowadays, you can do almost everything over networked systems or the Internet—from simple tasks, such as booking a flight reservation, to a multibillion dollar wire transfer between two large financial organizations. You cannot take security for granted! An attacker can steal credit card information from your online travel reservation or launch a denial of service (DoS) attack to disrupt a wire transfer. It is extremely important to learn new techniques and methodologies to combat electronic penetrations, data thefts, and cyberattacks on critical information systems.

  Organizations and individuals must educate themselves to be able to select the appropriate security technologies, tools, and methodologies to prevent and mitigate any security threats before they impact the business. This chapter describes the most common and widely used security products and technologies. These products and technologies include the following:

  • Firewalls
  • Virtual private networks (VPN)
  • Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
  • Anomaly detection systems
  • Authentication, authorization, and accounting (AAA) and identity management
  • Network admission control

  

NOTE This chapter introduces a range of security technologies and products. Becoming familiar with these topics will help you understand the methodologies and solutions presented in the rest of this book.

Firewalls

If you are a network administrator, security engineer, manager, or simply an end user, you have probably heard of, used, or configured a firewall. Historically, firewalls have been used as barriers to keep intruders and destructive forces away from your network. Today, firewalls and security appliances have many robust and sophisticated features beyond the traditional access control rules and policies. As you read through this section, you will learn more about the different types of firewalls and how they work, the threats they can protect you from, and their limitations.

  

TIP A detailed understanding of how firewalls and their related technologies work is extremely important for all network security professionals. This knowledge will help them to configure and manage the security of their networks accurately and effectively.

Several network firewall solutions offer user and application policy enforcement that provides multivector attack protection for different types of security threats. They often provide logging capabilities that allow security administrators to identify, investigate, validate, and mitigate such threats. In addition, several software applications can run on a system to protect only that host. These types of applications are known as personal firewalls. This section includes an overview of both network and personal firewalls and their related technologies.

  Network Firewalls

  Network firewalls come in many flavors and colors. They range from simple packet filters to sophisticated solutions that include stateful and deep-packet inspection features. For example, you can configure simple access control lists (ACL) on a router to prevent an attacker from accessing corporate resources. Figure 1-1 illustrates how to configure a router to block access from unauthorized hosts and users on the Internet.

Figure 1-1 Basic Packet Filter—Router with Basic ACLs (figure: an attacker on the Internet, an IOS router, and the corporate network behind it)

  In Figure 1-1, the router is configured to deny all incoming traffic from Internet hosts to its protected network (the corporate network). In this example, an attacker tries to scan the protected network from the Internet, and the router drops all traffic.


NOTE The use and configuration of different types of ACLs is covered in Chapter 2, "Preparation Phase."

  The purpose of packet filters is to control access to specific network segments by defining which traffic can pass through to them. A packet filter judges each packet in isolation, looking at its network-layer and transport-layer headers (Layers 3 and 4 of the Open Systems Interconnection (OSI) model). For example, packet filters can analyze TCP or UDP packets and judge them against a set of predetermined rules called ACLs. They inspect the following elements within a packet:

  • Source address
  • Destination address
  • Source port
  • Destination port
  • Protocol

  Basic packet filters commonly do not inspect additional Layer 3 and Layer 4 fields such as sequence numbers, TCP control flags, and the TCP acknowledgement (ACK) field. Because each packet is judged on its own, a packet filter cannot tell whether an inbound packet is the reply to a connection that an internal host opened or an unsolicited probe that merely looks like one. That gap is what stateful firewalls, described later in this section, close.
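  To make that limitation concrete, here is an added example (not code from the book) of a stateless packet filter written in Python. It assumes the corporate network is 192.168.1.0/24 and that the ACL is applied inbound on the router's Internet-facing interface; the addresses and traffic samples are constructed for the example. The first policy is the deny-everything ACL of Figure 1-1. The second is the only kind of stateless rule that can admit replies to web sessions opened from the inside, and it admits an attacker's probe sourced from port 80 just as readily.

```python
"""Stateless packet filter (router ACL) evaluator.

Added example, not code from the book. Models the inbound ACL of
Figure 1-1 and shows why a basic packet filter cannot safely admit
return traffic for connections opened from the inside.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0  # source port (0 for protocols without ports)
    dport: int = 0  # destination port


@dataclass(frozen=True)
class Ace:
    """One access control entry: an action plus the fields a basic
    packet filter matches on (addresses, ports, protocol)."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: str                      # CIDR prefix, or "any"
    dst: str                      # CIDR prefix, or "any"
    sport: Optional[int] = None   # None means any source port
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an ACL ends with an implicit deny,
    as on Cisco IOS."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Assumed topology: 192.168.1.0/24 is the corporate network and the ACL
# is applied inbound on the router's Internet-facing interface.
CORP = "192.168.1.0/24"

# Policy 1: the Figure 1-1 policy, deny everything from the Internet.
DENY_ALL = [Ace("deny", "ip", "any", "any")]

# Policy 2: the only way a stateless filter can let replies to internal
# web browsing back in is to permit anything whose source port is 80.
ALLOW_WEB_REPLIES = [
    Ace("permit", "tcp", "any", CORP, sport=80),
    Ace("deny", "ip", "any", "any"),
]

# Constructed traffic samples (addresses are documentation ranges).
SCAN_PROBE = Packet("198.51.100.7", "192.168.1.10", "tcp", sport=40123, dport=22)
WEB_REPLY = Packet("203.0.113.5", "192.168.1.100", "tcp", sport=80, dport=1024)
# The attacker simply sources the same probe from port 80.
SNEAKY_PROBE = Packet("198.51.100.7", "192.168.1.10", "tcp", sport=80, dport=22)


def demo() -> dict:
    """Verdicts for each sample under each policy."""
    return {
        "deny_all/scan": evaluate(DENY_ALL, SCAN_PROBE),
        "deny_all/web_reply": evaluate(DENY_ALL, WEB_REPLY),
        "web_replies/scan": evaluate(ALLOW_WEB_REPLIES, SCAN_PROBE),
        "web_replies/web_reply": evaluate(ALLOW_WEB_REPLIES, WEB_REPLY),
        "web_replies/sneaky_probe": evaluate(ALLOW_WEB_REPLIES, SNEAKY_PROBE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

  With the deny-all policy the scan is dropped but so is the legitimate web reply; with the source-port-80 exception the reply gets through, and so does the probe that borrows port 80. Only connection state can separate those two packets.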

  

NOTE The previous example illustrates a router configured with only a basic ACL. The Cisco IOS firewall solution provides enterprises and small/medium businesses with sophisticated features beyond traditional packet filters.

  Network Address Translation (NAT)

  Firewalls can also provide Network Address Translation (NAT) services. They can translate the IP addresses of protected hosts to a publicly routable address.

  

NOTE Firewalls often use NAT; however, other devices such as routers and wireless access points also support NAT.

  Figure 1-2 shows how a firewall translates the IP address of an internal host (192.168.1.100) to a public IP address (209.165.200.225) when the host attempts to access Cisco.com.

Figure 1-2 Basic NAT (figure: the internal host 192.168.1.100 behind the firewall reaches cisco.com on the Internet; its private address is translated to 209.165.200.225)

  NAT enables organizations to use any IP address space as the internal network. A best practice is to use the address spaces that are reserved for private use (see RFC 1918, “Address Allocation for Private Internets”). Table 1-1 lists the private address ranges specified in RFC 1918.

Table 1-1 Private Address Ranges Specified in RFC 1918

  IP Address Range                  Network Mask
  10.0.0.0 to 10.255.255.255        10.0.0.0/8
  172.16.0.0 to 172.31.255.255      172.16.0.0/12
  192.168.0.0 to 192.168.255.255    192.168.0.0/16

  NAT techniques come in various types. The most common are Port Address Translation (PAT) and Static NAT. PAT allows many devices on a network segment to be translated to one IP address by inspecting the Layer 4 information on the packet. Figure 1-3 illustrates how three different machines on the corporate network are translated to a single public address.

In Figure 1-3, the host with IP address 192.168.1.100 attempts to access the web server with IP address 209.165.200.230. The firewall translates the source address to 209.165.200.226 and the source TCP port from 1024 to 1234, and records that mapping so the server's replies addressed to 209.165.200.226 port 1234 can be translated back to 192.168.1.100 port 1024. Notice that the destination address and destination port (port 80) remain the same.

Figure 1-3 PAT (figure: hosts on 192.168.1.0/24 behind the firewall reach the web server 209.165.200.230; before translation: source 192.168.1.100 port 1024, destination 209.165.200.230 port 80; after translation: source 209.165.200.226 port 1234, destination 209.165.200.230 port 80)
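  The following Python model of a PAT table is an added example, not code from the book. It replays the Figure 1-3 exchange for three inside hosts sharing 209.165.200.226, reverse-translates the server's reply, and drops an inbound packet for which no binding exists. The port pool is started at 1234 only so that the first binding matches the figure; the attacker address is constructed.

```python
"""Port Address Translation (PAT) table.

Added example, not code from the book. Replays the Figure 1-3 exchange:
192.168.1.100:1024 -> 209.165.200.230:80 leaves the firewall as
209.165.200.226:1234, and the server's reply is translated back.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


class Pat:
    """Many inside hosts share one public address; the translated source
    port is what lets the firewall route replies back to the right host."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (proto, inside ip, inside port) -> translated port
        self._out: Dict[Tuple[str, str, int], int] = {}
        # (proto, translated port) -> (inside ip, inside port)
        self._in: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate(self) -> int:
        """Hand out the next port from the pool; exhaustion raises."""
        if self._next_port > 65535:
            raise RuntimeError("PAT port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the inside network, creating the
        binding on first use."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self._out:
            port = self._allocate()
            self._out[key] = port
            self._in[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a packet arriving from the Internet. Returns
        None (drop) when no inside host created a matching binding, which
        is why unsolicited inbound traffic cannot reach a PAT-ed host."""
        if pkt.dst != self.public_ip:
            return None
        binding = self._in.get((pkt.proto, pkt.dport))
        if binding is None:
            return None
        inside_ip, inside_port = binding
        return replace(pkt, dst=inside_ip, dport=inside_port)


WEB_SERVER = "209.165.200.230"


def demo() -> dict:
    # Pool starts at 1234 only so the first binding matches Figure 1-3;
    # a real firewall picks from its own pool.
    pat = Pat("209.165.200.226", first_port=1234)
    translated = [
        pat.outbound(Packet(host, WEB_SERVER, "tcp", 1024, 80))
        for host in ("192.168.1.100", "192.168.1.101", "192.168.1.102")
    ]
    # The server answers the first host: same public address, port 1234.
    reply = pat.inbound(Packet(WEB_SERVER, "209.165.200.226", "tcp", 80, 1234))
    # A constructed attacker hits the public address on a port no one is using.
    probe = pat.inbound(Packet("198.51.100.7", "209.165.200.226", "tcp", 40000, 2222))
    return {"translated": translated, "reply": reply, "probe": probe}


if __name__ == "__main__":
    result = demo()
    for p in result["translated"]:
        print("out:", p)
    print("reply:", result["reply"])
    print("probe:", result["probe"])
```

  All three inside hosts use source port 1024 yet end up with distinct translated ports, which is the whole point of PAT. A production PAT entry also records the destination address and port and is aged out after an idle timeout; both are omitted here.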

Stateful Firewalls

Stateful inspection firewalls track every connection passing through their interfaces rather than judging each packet on its own. A stateful firewall maintains a connection (state) table keyed on Layer 3 and Layer 4 information: source and destination addresses, ports, protocol, and, for TCP, the stage the connection is in. The state of a connection records whether it is being negotiated, has been established, is being closed, or has been reset. An inbound packet is permitted only if it belongs to a connection the table already knows about (typically one that a protected host opened), so unsolicited probes and spoofed replies are dropped even when their addresses and ports would have satisfied a static ACL. More sophisticated firewalls also perform upper-layer protocol analysis, known as deep packet inspection, which is discussed later in this chapter. Cisco IOS firewall, Cisco Adaptive Security Appliances (ASA), Cisco PIX firewalls, and the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 series switches are examples of stateful firewalls; they also offer deep packet inspection.
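  The following Python connection tracker is an added example, not code from the book, showing the state table described above. It assumes 192.168.1.0/24 is the protected network and that inside hosts may open any outbound TCP connection; the packet trace is constructed. Note the contrast with a stateless filter: the ACK probe sourced from port 80 is dropped because no table entry matches it.

```python
"""Stateful inspection: a connection table keyed on Layer 3/4 information.

Added example, not code from the book. Inbound packets are admitted only
when they belong to a connection that a protected host opened, so the ACK
probe that slips past a stateless filter is dropped here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)


# (inside ip, inside port, outside ip, outside port)
Key = Tuple[str, int, str, int]


class StatefulFirewall:
    def __init__(self, inside_prefix: str) -> None:
        self.inside = ip_network(inside_prefix)
        self.table: Dict[Key, str] = {}   # SYN_SENT, ESTABLISHED, CLOSING

    def process(self, pkt: Packet) -> str:
        """Return 'permit' or 'deny' and update the connection table."""
        if ip_address(pkt.src) in self.inside:
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        state = self.table.get(key)
        if state is None:
            # Only a bare SYN may create a new entry (assumed policy:
            # inside hosts may open any outbound connection).
            if pkt.flags == "S":
                self.table[key] = "SYN_SENT"
                return "permit"
            return "deny"
        return self._advance(key, state, pkt)

    def _inbound(self, pkt: Packet) -> str:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return "deny"   # unsolicited: SYN scans, ACK probes, spoofed replies
        if state == "SYN_SENT" and "S" not in pkt.flags and "R" not in pkt.flags:
            return "deny"   # a plain ACK before the handshake completes
        return self._advance(key, state, pkt)

    def _advance(self, key: Key, state: str, pkt: Packet) -> str:
        """Move a known connection through its states; RST tears it down."""
        if "R" in pkt.flags:
            del self.table[key]
        elif "F" in pkt.flags:
            self.table[key] = "CLOSING"
        elif state == "SYN_SENT" and "A" in pkt.flags and "S" not in pkt.flags:
            self.table[key] = "ESTABLISHED"   # inside host's ACK completes it
        return "permit"


def run_demo() -> List[str]:
    """Constructed trace: one legitimate web session plus two probes."""
    fw = StatefulFirewall("192.168.1.0/24")
    client, server, attacker = "192.168.1.100", "203.0.113.5", "198.51.100.7"
    trace = [
        Packet(client, server, 1024, 80, "S"),            # inside opens a connection
        Packet(server, client, 80, 1024, "SA"),           # server answers
        Packet(client, server, 1024, 80, "A"),            # handshake completes
        Packet(server, client, 80, 1024, "A"),            # data from the server
        Packet(attacker, "192.168.1.10", 80, 22, "A"),    # ACK probe sourced from port 80
        Packet(attacker, "192.168.1.10", 40123, 22, "S"), # SYN scan
        Packet(server, client, 80, 1024, "FA"),           # server starts closing
        Packet(client, server, 1024, 80, "FA"),           # client closes too
        Packet(client, server, 1024, 80, "R"),            # reset removes the entry
        Packet(server, client, 80, 1024, "A"),            # late packet after teardown
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    print(run_demo())
```

  The two attacker packets are denied without any rule naming the attacker, purely because nothing inside asked for them. Real firewalls also age idle entries out of the table and validate sequence numbers against the tracked window; neither is modelled here.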

NOTE For detailed deployment, configuration, and troubleshooting information, see the Cisco Press book titled Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.

  Deep Packet Inspection

Several applications require special handling of data packets when they pass through firewalls. These include applications and protocols that embed IP addressing information in the data payload of the packet or open secondary channels on dynamically assigned ports; FTP, whose PORT command carries the client's address and a data port inside the control connection, is the classic example. Sophisticated firewalls and security appliances such as the Cisco ASA, Cisco PIX firewall, and Cisco IOS firewall offer application inspection mechanisms that parse this embedded addressing information (and rewrite it when NAT is in the path) so that these applications and protocols work. Using application inspection, these security appliances can identify the dynamic port assignments and allow data exchange on those ports only for the duration of that specific connection. With deep packet inspection, firewalls can also look at specific Layer 7 payloads to protect against security threats. For example, you can configure a Cisco ASA or a Cisco PIX firewall running version 7.0 or later to not allow peer-to-peer (P2P) applications to be tunneled over HTTP. You can also configure these devices to deny specific FTP commands, HTTP content types, and elements of other application protocols.
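  Here is an added Python example (not the book's code) of the FTP control-channel inspection described above: it parses PORT commands to open pinholes for the data connection, refuses a PORT that names a host other than the client, and drops commands a policy forbids. The client address, the denied-command set, and the session lines are all constructed for the example.

```python
"""FTP application inspection on the control channel.

Added example, not the book's code. Parses the RFC 959 PORT command so a
firewall can open a pinhole for the data connection the server will open
back to the client, and drops FTP commands that policy forbids.
"""
import re
from typing import List, Optional, Set, Tuple

# RFC 959: PORT h1,h2,h3,h4,p1,p2 (four address octets, two port octets)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return the (ip, port) embedded in a PORT command, or None if
    the command is malformed or an octet is out of range."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


class FtpInspector:
    """Watches the client-to-server lines of one FTP control connection."""

    def __init__(self, client_ip: str, denied: Set[str]) -> None:
        self.client_ip = client_ip
        self.denied = {v.upper() for v in denied}
        # (ip, port) pairs the server is allowed to connect back to
        self.pinholes: List[Tuple[str, int]] = []

    def inspect(self, line: str) -> str:
        """Return 'forward' or 'drop' for one command line."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in self.denied:
            return "drop"
        if verb == "PORT":
            target = parse_port_command(line)
            if target is None:
                return "drop"            # malformed or out-of-range octets
            ip, port = target
            # The embedded address must be the client's own. Accepting any
            # address would let a client make the firewall open a pinhole
            # toward a third host (the classic FTP bounce problem). The
            # ephemeral-port requirement is an assumed policy choice.
            if ip != self.client_ip or port < 1024:
                return "drop"
            self.pinholes.append((ip, port))
        return "forward"


# Constructed control-channel lines from client 192.168.1.100.
SESSION = [
    "USER anonymous",
    "PASS guest@example.com",
    "PORT 192,168,1,100,4,210",   # 4*256+210 = 1234: legitimate data port
    "RETR report.pdf",
    "PORT 10,0,0,5,0,80",         # names another host: bounce attempt
    "DELE report.pdf",            # forbidden by the policy below
    "PORT 192,168,1,100,300,1",   # octet out of range
    "QUIT",
]


def run_session(lines: List[str] = SESSION) -> Tuple[List[str], List[Tuple[str, int]]]:
    """Inspect a session; return per-line verdicts and the pinholes opened."""
    insp = FtpInspector("192.168.1.100", denied={"DELE", "RMD", "SITE"})
    verdicts = [insp.inspect(line) for line in lines]
    return verdicts, insp.pinholes


if __name__ == "__main__":
    verdicts, pinholes = run_session()
    for line, verdict in zip(SESSION, verdicts):
        print(f"{verdict:8s} {line}")
    print("pinholes:", pinholes)
```

  Only one pinhole is opened, for the data port the client actually announced; a real inspector would close it again once the data connection finishes. When the client sits behind NAT, the inspector must also rewrite the octets in the PORT command and adjust TCP sequence numbers for the changed payload length; this example leaves the payload untouched.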

NOTE The Cisco ASA and Cisco PIX firewall running version 7.0 or later provide a Modular Policy Framework (MPF) that allows a consistent and flexible way to configure application inspection and other features, in a manner similar to the Cisco IOS Software Modular quality of service (QoS) command-line interface (CLI).

  Demilitarized Zones

Most firewalls can define additional network segments (or zones), usually called demilitarized zones (DMZ). Each zone is assigned its own security level and policy, and the firewall controls what traffic may pass between zones. Common uses of a DMZ are to host a web server farm that must be reachable from the Internet without exposing the internal network, or to terminate an extranet connection to a business partner. Figure 1-4 shows a firewall (a Cisco ASA in this case) with two DMZs.

Figure 1-4 DMZ Example (figure: a Cisco ASA with four interfaces: Internet, Internal Network, DMZ 1 hosting the Web Server Farm, and DMZ 2 carrying the Extranet Connection to a Business Partner's Partner Network)

  In Figure 1-4, DMZ 1 hosts web servers that are accessible by internal and Internet hosts. The Cisco ASA controls access from an extranet business partner connection on DMZ 2.

  

NOTE In large organizations, you can deploy multiple firewalls in different segments and DMZs.

  Personal Firewalls

Personal firewalls are popular software applications that you can install on end-user machines or servers to protect them from external security threats and intrusions. The term personal firewall typically applies to basic software that can control Layer 3 and Layer 4 access to client machines. Today, sophisticated software is available that not only provides basic personal firewall features but also protects the system based on the behavior of the applications installed on it. An example of this type of software is the Cisco Security Agent (CSA). CSA provides several features that offer more robust security than a traditional personal firewall, including the following:

• Host intrusion prevention
  • Protection against spyware
  • Protection against buffer overflow attacks
  • Distributed host firewall features
  • Malicious mobile code protection
  • Operating system integrity assurance
  • Application inventory
  • Extensive audit and logging capabilities

NOTE Host intrusion prevention systems (HIPS) are described in more detail later in this chapter.

  

Virtual Private Networks (VPN)

  Organizations of all sizes deploy VPNs to provide data integrity, authentication, and data encryption, assuring the confidentiality of packets sent over an unprotected network such as the Internet. VPNs also avoid the cost of dedicated leased lines. Many different protocols are used for VPN implementations, including these:

  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer 2 Forwarding (L2F) Protocol
  • Layer 2 Tunneling Protocol (L2TP)
  • Generic Routing Encapsulation (GRE) Protocol
  • Multiprotocol Label Switching (MPLS) VPN
  • Internet Protocol Security (IPsec)
  • Secure Socket Layer (SSL)

  

NOTE PPTP, L2F, L2TP, GRE, and MPLS VPNs are tunneling technologies; on their own they do not provide data integrity, authentication, or data encryption. (PPTP deployments usually add MS-CHAP authentication and MPPE encryption, both of which are now considered weak.) You can combine L2TP, GRE, and MPLS with IPsec to provide these protections. Many organizations use IPsec as their preferred protocol because it supports all three features described earlier (data integrity, authentication, and data encryption).

VPN implementations can be categorized into two distinct groups:

  • Site-to-site VPNs: Allow organizations to establish VPN tunnels between two or more sites so that they can communicate over a shared medium such as the Internet. Many organizations use IPsec, GRE, and MPLS VPN as site-to-site VPN protocols.


  • Remote-access VPNs: Allow users to work from remote locations such as their